Addressing threats to health care's core values, especially those stemming from concentration and abuse of power. Advocating for accountability, integrity, transparency, honesty and ethics in leadership and governance of health care.

Thursday, August 16, 2012

EHR sabotage for ransom: Try this with paper!

I have frequently written that health IT, touted as a technology that will deterministically "transform medicine", allows (aside from clinical chaos) new sorts of problems, such as information security abuses en masse, to occur. See this query link for numerous postings on that topic: http://hcrenewal.blogspot.com/search/label/medical%20record%20privacy

I am not, of course, advocating a return to paper; I am in fact "pro-good IT" but "anti-bad IT."

Details have emerged of an extraordinary data breach incident in which a U.S. medical practice had thousands of patient records and emails encrypted by attackers who then demanded a ransom to unscramble the data.

The incident appears to have come to light after a security blogger 'Dissent Doe' noticed a data breach report made by Illinois-based The Surgeons of Lake County medical centre to the US Department of Health and Human Services.

According to a small newswire that reported events, attackers were able to compromise one of the medical centre's servers, encrypting its contents including 7,067 patient records and a quantity of emails.

The first the centre knew about the attack was on 25 June when a ransom note for an undisclosed sum was posted on the server, at which point it was turned off.

It is not clear whether the data was recovered through backups but the organisation reported the incident to the police and Department of Health.

... What marks the compromise out from almost every data breach attack recorded is that the attackers opted to extort the victim organisation rather than attempting to sell or exploit the data itself. [Cyber criminals should never be assumed to be uncreative - ed.]

It remains unlikely that the intention was to abuse this data directly; having occurred only days before the extortion note was received, the criminals would normally want a longer period to execute data and identity theft crimes. Most data theft criminals attempt to go undetected for this reason.

The criminals will, nevertheless, have had access to sensitive data including names, addresses, social security and credit card numbers plus medical records, prompting the centre to inform its affected patients of the breach.

"This is a warning bell. Maybe they're the canary in the coal mine that unpredictable things can happen to data once it's digitized," [you think? - ed.] said Santa Clara University law school professor, Dorothy Glancy, quoted by Bloomberg.

This incident is, quite simply, stunning. In addition to identity theft concerns, a patient whose information was cybernetically 'held hostage' could have suffered clinically as a result.
